CN113348689B - Relay method, relay system, and relay program - Google Patents

Relay method, relay system, and relay program

Info

Publication number: CN113348689B
Authority: CN (China)
Prior art keywords: relay, terminal, client terminal, connection, information
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN202080009856.9A
Other languages: Chinese (zh)
Other versions: CN113348689A
Inventors: 安川健太, 松井基胜, 川上大喜
Current assignee: Soracom Inc (as listed by Google Patents; assignee listings are not legally verified)
Original assignee: Soracom Inc

Events
Application filed by Soracom Inc
Priority to CN202311789731.4A (published as CN117750462A)
Publication of CN113348689A
Application granted
Publication of CN113348689B
Legal status: Active (current)
Anticipated expiration

Abstract

When the connection management device 1 of the relay system S obtains, from the client terminal 4, terminal identification information that identifies a target terminal, it determines the first relay device 2 that is to relay the communication and determines connection information to be used for connecting the client terminal 4 to that first relay device 2. The connection management device 1 stores the determined connection information in a storage unit in association with the terminal identification information and notifies the client terminal 4 of the connection information. When the determined first relay device 2 receives an access from the client terminal 4 based on the connection information, it relays communication between the client terminal 4 and the target terminal 5 based on the terminal identification information associated with that connection information.

Description

Relay method, relay system, and relay program

Technical field

The present invention relates to a relay method, a relay system, and a relay program for relaying communication between a client terminal and a target terminal.

Background art

When maintaining, operating, and managing an IoT (Internet of Things) system, the target terminals that are IoT devices must be accessible. As a method for a user to access a target terminal, Patent Document 1 discloses a system that, in response to a request from the user, notifies the global IP address assigned to the target terminal.

Prior art documents

Patent documents

Patent Document 1: Japanese Patent No. 5973049

Summary of the invention

Problem to be solved by the invention

By assigning a global IP address to the target terminal, the user can easily access the target terminal using that address. However, once a global IP address is assigned to the target terminal, third parties other than the user can also reach the target terminal, which creates a security risk.

The present invention was made in view of the above problem, and its object is to provide a relay method, a relay system, and a relay program that allow a target terminal to be accessed securely.

Means for solving the problem

A relay method according to a first aspect of the present invention is executed by a relay system that relays communication between a client terminal and a target terminal that is the communication destination of the client terminal, and has the following steps: an obtaining step of obtaining, from the client terminal, terminal identification information that identifies the target terminal; a determining step of, once the terminal identification information is obtained, determining, among a plurality of relay devices provided in the relay system, a first relay device that relays the communication, and determining connection information to be used for connecting the client terminal to the first relay device; a storage control step of storing the connection information in a storage unit in association with the terminal identification information; a notifying step of notifying the client terminal of the determined connection information; and a relaying step in which, once the first relay device receives an access based on the connection information from the client terminal, it relays communication between the client terminal and the target terminal based on the terminal identification information associated with that connection information in the storage unit.

In the relaying step, the first relay device may determine, based on the terminal identification information stored in the storage unit, a second relay device to which the target terminal is connected, and relay the communication between the client terminal and the target terminal via the determined second relay device.

The relay system may include a plurality of relay devices that constitute a mobile network, with the target terminal connected to the mobile network and assigned a private address that is reachable inside the mobile network; in the relaying step, the first relay device communicates with the target terminal based on the target terminal's private address and thereby relays the communication between the client terminal and the target terminal.

In the storage control step, the relay system may further store, in the storage unit, the port number of the target terminal used for communication with the target terminal, in association with the connection information; in the relaying step, the first relay device establishes a connection to the target terminal based on the terminal identification information and the target terminal's port number associated with the connection information in the storage unit.

In the obtaining step, the relay system may also obtain the target terminal's port number from the client terminal, and in the storage control step the relay system further stores the obtained port number in the storage unit in association with the connection information.

In the storage control step, the relay system may store, in the storage unit, connection information that includes a port number of the first relay device; in the notifying step, the relay system notifies the client terminal of connection information that includes the address and port number of the first relay device; and in the relaying step, the first relay device receives from the client terminal an access based on the address and port number of the first relay device included in the connection information.

In the storage control step, the relay system may further store, in the storage unit, validity period information in association with the connection information, the validity period information indicating the period during which the client terminal and the target terminal are allowed to communicate. In the relaying step, when the first relay device receives an access based on the connection information from the client terminal, it relays communication between the client terminal and the target terminal if it determines, based on the validity period information associated with that connection information in the storage unit, that communication is permitted, and it cuts off the relay of communication between the client terminal and the target terminal if it determines that communication is not permitted.

In the obtaining step, the relay system may also obtain the validity period information from the client terminal, and in the storage control step the relay system may further store the obtained validity period information in the storage unit in association with the determined connection information.

In the obtaining step, the relay system may also obtain, from the client terminal, address information indicating the address the client terminal will use when communicating with the target terminal; in the storage control step, the relay system further stores the obtained address information in the storage unit in association with the determined connection information; and in the relaying step, when the first relay device corresponding to the connection information receives an access based on that connection information from the client terminal, it relays communication between the client terminal and the target terminal if it determines that the client terminal's address matches the address information associated with that connection information in the storage unit, and cuts off the relay if it determines that the address does not match.

In the relaying step, when the first relay device receives an access based on the connection information from the client terminal, it may further obtain client information indicating whether the client terminal is authorized; it relays communication between the client terminal and the target terminal if it determines, based on that client information, that the client terminal is authorized, and cuts off the relay if it determines that the client terminal is not authorized.

In the relaying step, the first relay device may relay communication between the client terminal and the target terminal by encrypting data on the link between itself and the client terminal while leaving data on the link between itself and the target terminal unencrypted.

A relay system according to a second aspect of the present invention includes a connection management device and a plurality of relay devices, and relays communication between a client terminal and a target terminal that is the communication destination of the client terminal. The connection management device includes: an obtaining unit that obtains, from the client terminal, terminal identification information identifying the target terminal; a determining unit that, once the terminal identification information is obtained, determines, among the plurality of relay devices provided in the relay system, a first relay device that relays the communication, and determines connection information to be used for connecting the client terminal to the first relay device; a storage control unit that stores the connection information in a storage unit in association with the terminal identification information; and a notifying unit that notifies the client terminal of the determined connection information. The first relay device includes a relay unit that, once it receives an access based on the connection information from the client terminal, relays communication between the client terminal and the target terminal based on the terminal identification information associated with that connection information in the storage unit.

A relay program according to a third aspect of the present invention causes a computer provided in a relay system that relays communication between a client terminal and a target terminal that is the communication destination of the client terminal to function as an obtaining unit, a determining unit, a storage control unit, and a notifying unit, where the obtaining unit obtains, from the client terminal, terminal identification information identifying the target terminal; the determining unit, once the terminal identification information is obtained, determines, among the plurality of relay devices provided in the relay system, a first relay device that relays the communication, and determines connection information to be used for connecting the client terminal to the first relay device; the storage control unit stores the connection information in a storage unit in association with the terminal identification information; and the notifying unit notifies the client terminal of the determined connection information.

Effect of the invention

According to the present invention, a target terminal can be accessed securely.

Brief description of the drawings

FIG. 1 is a diagram showing an overview of the relay system according to the present embodiment.

FIG. 2 is a diagram showing the configuration of the connection management device according to the present embodiment.

FIG. 3 is a diagram showing the configuration of the first relay device according to the present embodiment.

FIG. 4 is a diagram showing the configuration of the second relay device according to the present embodiment.

FIG. 5 is a sequence diagram showing the processing flow for registering authentication information.

FIG. 6 is a sequence diagram showing the processing flow for determining the first relay device that relays communication.

FIG. 7 is a sequence diagram showing the processing flow for relaying communication.

Detailed description of the embodiments

[Overview of relay system S]

FIG. 1 is a diagram showing an overview of the relay system S according to the present embodiment. The relay system S relays communication between a client terminal 4 and a target terminal 5 that is an IoT device.

The relay system S includes a connection management device 1, a plurality of first relay devices 2, and a plurality of second relay devices 3 that together form a mobile network such as 4G or 5G. A first relay device 2 is a proxy server placed in a network outside the core network of the mobile network. A second relay device 3 is a proxy server placed in a network inside the core network of the mobile network. The target terminal 5 is located inside the mobile network and is assigned a private IP address of that mobile network. The target terminal 5 is connected to one of the plurality of second relay devices 3. Although FIG. 1 shows only one target terminal 5, there are in fact a plurality of target terminals 5.

The connection management device 1 of the relay system S obtains from the client terminal 4 a SIM (Subscriber Identity Module) unique number, which serves as terminal identification information identifying the target terminal 5, the terminal to be accessed remotely. The SIM unique number is, for example, an IMSI (International Mobile Subscriber Identity).

When the connection management device 1 obtains the SIM unique number from the client terminal 4, it determines, among the plurality of first relay devices 2, the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5, and determines connection information to be used for connecting the client terminal 4 to that first relay device 2. In the example shown in FIG. 1, the connection management device 1 determines the first relay device 2-1 as the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5, and determines connection information for connecting the client terminal 4 to the first relay device 2-1.

The connection management device 1 stores the determined connection information in a storage unit in association with the SIM unique number and notifies the client terminal 4 of that connection information. The client terminal 4 accesses one of the plurality of first relay devices 2 based on the connection information notified by the connection management device 1. The first relay device 2 accessed by the client terminal 4 determines, based on the SIM unique number associated with the connection information in the storage unit, the second relay device 3 to which the target terminal 5 is connected, and relays communication between the client terminal 4 and the target terminal 5 via that second relay device 3.

In the example shown in FIG. 1, the first relay device 2-1 determines the second relay device 3-2 as the second relay device 3 to which the target terminal 5 is connected. The first relay device 2-1 relays communication between the client terminal 4 and the target terminal 5 via the second relay device 3-2.

In this way, because the relay system S varies the first relay device 2 that serves as the connection destination to which the client terminal 4 connects in order to communicate with the target terminal 5, it is difficult for a third party to determine which first relay device 2 is that connection destination, and security is improved. Note that the variable connection destination on its own only makes the relay harder to discover; the validity period, client-address and client-authentication checks described later are what prevent a third party who does learn the address and port from reaching the target terminal 5 through it.

[Configuration of the connection management device 1]

Next, the configurations of the connection management device 1, the first relay device 2, and the second relay device 3 provided in the relay system S are described, starting with the connection management device 1. FIG. 2 is a diagram showing the configuration of the connection management device 1 according to the present embodiment. As shown in FIG. 2, the connection management device 1 includes a communication unit 11, a storage unit 12, and a control unit 13.

The communication unit 11 is a communication interface for communicating with the client terminal 4.

The storage unit 12 is a storage medium including ROM (Read Only Memory), RAM (Random Access Memory), and the like, and stores the programs executed by the control unit 13. For example, the storage unit 12 stores a management device program that causes the control unit 13 to function as an authentication information management unit 131, an obtaining unit 132, a determining unit 133, a storage control unit 134, and a notifying unit 135. The management device program is part of the relay program that relays communication between the client terminal 4 and the target terminal 5.

The control unit 13 is, for example, a CPU (Central Processing Unit). By executing the management device program stored in the storage unit 12, the control unit 13 functions as the authentication information management unit 131, the obtaining unit 132, the determining unit 133, the storage control unit 134, and the notifying unit 135. These functions are described in detail later.

[Configuration of the first relay device 2]

Next, the configuration of the first relay device 2 is described. FIG. 3 is a diagram showing the configuration of the first relay device 2 according to the present embodiment. As shown in FIG. 3, the first relay device 2 includes a communication unit 21, a storage unit 22, and a control unit 23.

The communication unit 21 is a communication interface for communicating with the connection management device 1, the second relay device 3, and the client terminal 4.

The storage unit 22 is a storage medium including ROM, RAM, and the like, and stores the programs executed by the control unit 23. For example, the storage unit 22 stores a first relay device program that causes the control unit 23 to function as a first relay unit 231. The first relay device program is part of the relay program that relays communication between the client terminal 4 and the target terminal 5.

The control unit 23 is, for example, a CPU. By executing the first relay device program stored in the storage unit 22, the control unit 23 functions as the first relay unit 231. The function of the first relay unit 231 is described in detail later.

[Configuration of the second relay device 3]

Next, the configuration of the second relay device 3 is described. FIG. 4 is a diagram showing the configuration of the second relay device 3 according to the present embodiment. As shown in FIG. 4, the second relay device 3 includes a communication unit 31, a storage unit 32, and a control unit 33.

The communication unit 31 is a communication interface for communicating with the first relay device 2 and the target terminal 5.

The storage unit 32 is a storage medium including ROM, RAM, and the like, and stores the programs executed by the control unit 33. For example, the storage unit 32 stores a second relay device program that causes the control unit 33 to function as a second relay unit 331. The second relay device program is part of the relay program that relays communication between the client terminal 4 and the target terminal 5.

The control unit 33 is, for example, a CPU. By executing the second relay device program stored in the storage unit 32, the control unit 33 functions as the second relay unit 331. The function of the second relay unit 331 is described in detail later.

Next, the functions of the control unit 13 of the connection management device 1, the control unit 23 of the first relay device 2, and the control unit 33 of the second relay device 3 are described in detail, with reference to the sequence diagrams where appropriate.

[Registration of authentication information]

First, the function by which the client terminal 4 registers authentication information is described in detail. This function is realized by the authentication information management unit 131. FIG. 5 is a sequence diagram showing the processing flow for registering authentication information.

The authentication information management unit 131 obtains from the client terminal 4 an authentication information registration request, which asks for the authentication information used in client authentication to be registered (S1). Client authentication is performed by verifying that the client information (certificate information) that the client terminal 4 sends when it communicates is correct, that is, that it was generated by the authentication system. The authentication information registration request includes as authentication information, for example, authentication system information indicating the authentication system that generates the client information, and a public key used to generate a hash value from the client information.

After obtaining the authentication information registration request, the authentication information management unit 131 generates an authentication information ID that identifies the authentication information (S2).

Next, the authentication information management unit 131 registers the authentication information by storing the generated authentication information ID in the storage unit 12 in association with the authentication information (S3).

Next, the authentication information management unit 131 sends the generated authentication information ID to the client terminal 4 (S4).

[进行通信的中继的第一中继装置2的确定][Determination of the first relay device 2 for relaying communications]

接着,对客户终端4与对象终端5进行通信时的、确定进行该通信的中继的第一中继装置2的功能的详细情况进行说明。确定第一中继装置2的功能通过连接管理装置1的获得部132、确定部133、存储控制部134以及通知部135实现。图6是表示进行通信的中继的第一中继装置2的确定的处理流程的顺序图。另外,设定客户终端4的用户预先掌握识别对象终端5的SIM固有号码。Next, when the client terminal 4 communicates with the target terminal 5 , the function of determining the first relay device 2 for relaying the communication will be described in detail. The function of determining the first relay device 2 is realized by the acquisition unit 132 , the determination unit 133 , the storage control unit 134 and the notification unit 135 of the connection management device 1 . FIG. 6 is a sequence diagram showing a processing flow of determining the first relay device 2 that relays communications. In addition, the user who sets the client terminal 4 knows the SIM unique number of the identification target terminal 5 in advance.

获得部132从客户终端4获得向对象终端5的连接请求(S11)。具体而言,获得部132获得包含识别对象终端5的SIM固有号码和对象终端5进行通信时使用的对象终端5的端口号的连接请求。The obtaining unit 132 obtains the connection request to the target terminal 5 from the client terminal 4 (S11). Specifically, the obtaining unit 132 obtains a connection request including a SIM unique number for identifying the target terminal 5 and a port number of the target terminal 5 used when communicating with the target terminal 5 .

获得部132也可以从客户终端4获得连接请求以及表示与对象终端5进行连接时的连接条件的连接条件信息。具体而言,获得部132可以获得TTL(Time to live,生存时间)值和客户端地址信息中的至少一个作为连接条件信息,该TTL值作为表示客户终端4和对象终端5能够进行通信的时段的有效期信息,该客户端地址信息表示当客户终端4与对象终端5进行通信时客户终端4的IP地址的范围。The acquisition unit 132 may obtain the connection request and the connection condition information indicating the connection conditions when connecting to the target terminal 5 from the client terminal 4 . Specifically, the obtaining unit 132 can obtain at least one of a TTL (Time to live) value indicating a time period during which the client terminal 4 and the target terminal 5 can communicate, and client address information as the connection condition information. The validity period information of the client address information indicates the range of the IP address of the client terminal 4 when the client terminal 4 communicates with the target terminal 5.

此外,获得部132可以从客户终端4获得连接请求以及用于客户认证的认证信息ID。In addition, the obtaining section 132 can obtain the connection request and the authentication information ID for client authentication from the client terminal 4 .

确定部133如果获得连接请求,则在中继系统S具备的多个第一中继装置2中确定对客户终端4与对象终端5之间的通信进行中继的第一中继装置2(S12)。例如,确定部133将多个第一中继装置2中的任意一个第一中继装置2确定为对客户终端4与对象终端5之间的通信进行中继的第一中继装置2。Upon receiving the connection request, the determination unit 133 determines the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5 among the plurality of first relay devices 2 provided in the relay system S (S12 ). For example, the determination unit 133 determines any one of the plurality of first relay devices 2 as the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5 .

Alternatively, the determining unit 133 may determine a first relay device 2 located in the region to which the client terminal 4 belongs as the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5. In this case, the storage unit 12 stores per-region address information associating the IP addresses of the plurality of first relay devices 2 with the regions in which those first relay devices 2 are deployed. The determining unit 133 determines the address of the client terminal 4 that made the connection request and, from that address, determines the region to which the client terminal 4 belongs. Referring to the per-region address information, the determining unit 133 then determines any one of the first relay devices 2 belonging to that region as the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5. Because the client terminal 4 can thus access a first relay device 2 deployed in the same region, the delay in communication between the client terminal 4 and the first relay device 2 is reduced.

The determining unit 133 may also determine a first relay device 2 operated by the carrier with which the client terminal 4 has a contract as the first relay device 2 that relays the communication between the client terminal 4 and the target terminal 5. This keeps down the cost of relaying the communication between the client terminal 4 and the target terminal 5. Furthermore, the determining unit 133 may determine a lightly loaded first relay device 2 as the relaying device, based on the number of terminals accommodated by each first relay device 2 or on the traffic volume at each first relay device 2. This likewise reduces the delay in communication between the client terminal 4 and the first relay device 2.

The determining unit 133 determines the IP address and port number of the first relay device 2 as the connection information used by the client terminal 4 to connect to the determined first relay device 2 (S13). For example, the determining unit 133 determines the port number of the first relay device 2 by selecting an arbitrary port number from a plurality of port numbers within a predetermined range. Through this process, the connection management device 1 makes it difficult for a third party to identify the port number that the first relay device 2 uses for the communication between the client terminal 4 and the target terminal 5.

The storage control unit 134 stores destination entry information in the storage unit 12 (S14); this destination entry information associates the connection information determined by the determining unit 133 with the SIM unique number of the target terminal 5 and the port number of the target terminal 5 obtained by the obtaining unit 132.

When the obtaining unit 132 has obtained connection condition information, the storage control unit 134 stores that connection condition information (the validity deadline corresponding to the TTL, and the client address information) in association with the connection information. For example, when a TTL value is obtained as connection condition information, the storage control unit 134 computes, from the current time and the TTL value, the time at which the period during which the client terminal 4 and the target terminal 5 may communicate ends, takes this as the communication validity deadline, and stores that deadline in association with the connection information. When the obtaining unit 132 has obtained an authentication information ID, the storage control unit 134 stores that authentication information ID in association with the connection information. The following description assumes that the obtaining unit 132 has obtained an authentication information ID.

The notification unit 135 notifies the client terminal 4 that made the connection request of the connection information, which contains the IP address and port number of the first relay device 2 determined by the determining unit 133 (S15). Although the notification unit 135 notifies the client terminal 4 of the connection information here, this is not limiting; it may instead notify the client terminal 4 of the destination entry information containing that connection information.

[Relaying of communication by the determined first relay device 2]

Once the connection information has been notified to the client terminal 4, the client terminal 4 can access the determined first relay device 2 based on that connection information. Upon receiving from the client terminal 4 an access based on the IP address and port number of the first relay device 2 contained in the connection information, the determined first relay device 2 relays the communication between the client terminal 4 and the target terminal 5.

Specifically, the first relay unit 231 of the first relay device 2 obtains a connection request based on the connection information from the client terminal 4, thereby receiving the access from the client terminal 4, and then relays the communication between the client terminal 4 and the target terminal 5 based on the SIM unique number that is associated with the connection information in the storage unit 12 of the connection management device 1. The first relay unit 231 determines, from that SIM unique number, the second relay device 3 to which the target terminal 5 is connected, and relays the communication between the client terminal 4 and the target terminal 5 via the determined second relay device 3.

The details of the communication relay function are described below. The communication relay function is implemented by the obtaining unit 132, the determining unit 133 and the notification unit 135 of the connection management device 1, the first relay unit 231 of the first relay device 2, and the second relay unit 331 of the second relay device 3. FIG. 7 is a sequence diagram showing the processing flow of the communication relay.

The first relay unit 231 of the first relay device 2 obtains a connection request based on the connection information from the client terminal 4, thereby receiving the access from the client terminal 4 (S21). Specifically, the first relay unit 231 obtains the connection request from the client terminal 4 on the port whose number is the port number of the first relay device 2 contained in the connection information. The connection request contains client information proving that the client terminal 4 is legitimate; the client information is, for example, certificate information.

Next, the first relay unit 231 sends the connection management device 1 a request to obtain the relay information used for relaying the communication (S22). The request for relay information contains the IP address assigned to the first relay device 2 and the port number of the port used for the communication with the client terminal 4. The relay information comprises the SIM unique number of the target terminal 5 (the communication destination of the client terminal 4), the port number of the target terminal 5, the connection condition information, and the IP address of the second relay device 3.

The obtaining unit 132 of the connection management device 1 obtains the request for relay information from the first relay device 2. Referring to the destination entry information stored in the storage unit 12, the determining unit 133 of the connection management device 1 determines the SIM unique number of the target terminal 5, the port number of the target terminal 5, the connection condition information, and the authentication information ID that are associated with the IP address and port number of the first relay device 2 contained in the request (S23).

Next, the determining unit 133 determines the second relay device 3 to which the target terminal 5 is connected, based on the determined SIM unique number of the target terminal 5 (S24). Specifically, the determining unit 133 refers to connection management information that manages the one or more target terminals 5 connected to each of the plurality of second relay devices 3 in the mobile network, and determines the IP address of the second relay device 3 to which the target terminal 5 having the determined SIM unique number is connected.

The connection management information is provided by, for example, the P-GW (Packet data network GateWay) of a 4G core network or the UPF (User Plane Function) of a 5G core network, but it may also be managed by the connection management device 1.

Next, the notification unit 135 notifies the first relay device 2 of the relay information, which contains the SIM unique number of the target terminal 5, the port number of the target terminal 5, the connection condition information, and the IP address of the second relay device 3 determined by the determining unit 133 (S25).

Upon obtaining the relay information, the first relay unit 231 of the first relay device 2 determines whether the connection condition indicated by the connection condition information contained in that relay information is satisfied (S26). If the first relay unit 231 determines that the connection condition is satisfied, processing proceeds to S28 and the relaying of the communication between the client terminal 4 and the target terminal 5 continues. If the first relay unit 231 determines that the connection condition is not satisfied, it notifies the client terminal 4 of connection error information indicating that the connection between the client terminal 4 and the target terminal 5 cannot be made (S27).

Specifically, the first relay unit 231 determines whether the IP address of the client terminal 4 corresponds to the client address information contained in the connection condition information. If the IP address of the client terminal 4 falls within the range of IP addresses indicated by the client address information, the first relay unit 231 determines that the IP address of the client terminal 4 corresponds to the client address information.

If the first relay unit 231 determines that the IP address of the client terminal 4 does not correspond to the client address information, that is, that the IP address of the client terminal 4 lies outside the range of IP addresses indicated by the client address information, it notifies the client terminal 4 of connection error information and cuts off the communication between the client terminal 4 and the target terminal 5. Because the first relay device 2 thus does not communicate with the target terminal 5 when the access comes from a terminal whose IP address lies outside the range indicated by the client address information, security is improved.

In addition, the first relay unit 231 determines whether the client terminal 4 is legitimate based on the authentication information ID determined in S23 and the client information contained in the connection request. Specifically, the first relay unit 231 sends the connection management device 1 an authentication information request asking for the authentication information that includes the authentication information ID. Upon obtaining the authentication information request, the authentication information management unit 131 of the connection management device 1 sends the first relay device 2 the authentication system information and the public key stored in the storage unit 12 as the authentication information associated with that authentication information ID.

Upon obtaining the authentication information, the first relay unit 231 determines whether the client terminal 4 is legitimate based on the client information. For example, the first relay unit 231 generates a hash value from the client information using the public key contained in the authentication information. The first relay unit 231 then determines whether the client terminal 4 is legitimate by checking whether this hash value matches the hash value of the client terminal 4 held in the authentication system. If the first relay unit 231 determines that the client terminal 4 is not legitimate, it notifies the client terminal 4 of connection error information and cuts off the communication between the client terminal 4 and the target terminal 5.

Once the first relay unit 231 has determined that the IP address of the client terminal 4 corresponds to the client address information and that the client terminal 4 is legitimate, processing proceeds to S28. The first relay unit 231 then establishes a connection to the target terminal 5 over a TCP connection, based on the IP address of the target terminal 5 and the port number of the target terminal 5 contained in the relay information obtained from the connection management device 1.

Specifically, the first relay unit 231 establishes a connection to the second relay device 3 based on the IP address of the second relay device 3 contained in the relay information obtained from the connection management device 1 in S25 (S28).

Once the connection to the second relay device 3 is established, the first relay unit 231 notifies that second relay device 3 of the IP address of the target terminal 5 and the port number of the target terminal 5 contained in the relay information. The second relay unit 331 of the second relay device 3 establishes a connection to the target terminal 5 based on the IP address and port number of the target terminal 5 notified by the first relay device 2 (S29).

Once the processing of S28 and S29 is complete, the connection between the client terminal 4 and the target terminal 5 is established (S30). The first relay unit 231 of the first relay device 2 and the second relay unit 331 of the second relay device 3 relay the communication between the client terminal 4 and the target terminal 5. The client terminal 4 can thereby send commands to the target terminal 5, or exchange data with it.

The first relay unit 231 of the first relay device 2 carries the communication between the first relay device 2 and the target terminal 5 over the carrier's closed network, based on the private IP address of the target terminal 5, and thereby relays the communication between the client terminal 4 and the target terminal 5.

While relaying the communication between the client terminal 4 and the target terminal 5, the first relay unit 231 determines, based on the communication validity deadline contained in the connection condition information, whether communication between the client terminal 4 and the target terminal 5 may proceed. If it determines that communication may proceed, the first relay unit 231 relays the communication between the client terminal 4 and the target terminal 5. If it determines that communication may not proceed, the first relay unit 231 cuts off the communication between the client terminal 4 and the target terminal 5, and notifies the client terminal 4 of connection error information when doing so. Because the first relay device 2 thus cuts off the communication between the client terminal 4 and the target terminal 5 once the communication validity deadline has passed, security is improved compared with the case in which no communication validity deadline is set.
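The following is an added example, not code from the patent or from Soracom, that models two pieces of the flow above in one place: the connection management device's issuance of per-request connection information and its destination entry (S13 to S15), and the first relay device's admission gate on the client address range and the communication validity deadline (S26, S27 and the cut-off during relaying). The class and function names, the port range and the sample addresses are assumptions chosen for illustration.

```python
"""Constructed model of connection-information issuance and the relay-side
admission gate. Not the patent holder's code; names and values are assumed."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Assumed predetermined range of relay-side ports the connection manager draws from.
RELAY_PORT_RANGE = range(30000, 40000)

Address = Tuple[str, int]  # (relay IP address, relay port): the connection information
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class DestinationEntry:
    """Destination entry information (S14), later returned to the relay as relay info."""
    sim_number: str                    # SIM unique number identifying the target terminal
    target_port: int                   # port on the target terminal
    expires_at: Optional[float]        # communication validity deadline, epoch seconds
    client_range: Optional[Network]    # permitted client address range (client address info)
    auth_id: Optional[str] = None      # authentication information ID, if supplied


class ConnectionManager:
    """Models connection management device 1."""

    def __init__(self, relay_addresses):
        self.relays = list(relay_addresses)
        self.entries: Dict[Address, DestinationEntry] = {}

    def request_connection(self, sim_number: str, target_port: int, now: float,
                           ttl: Optional[int] = None, client_cidr: Optional[str] = None,
                           auth_id: Optional[str] = None, relay_index: int = 0) -> Address:
        """S11 to S15: pick a relay, pick an unpredictable free port, store the entry."""
        relay_ip = self.relays[relay_index]
        # S13: draw the port at random from the predetermined range, skipping ports
        # already handed out on this relay so two clients never map to one entry.
        in_use = {port for (ip, port) in self.entries if ip == relay_ip}
        free_ports = [p for p in RELAY_PORT_RANGE if p not in in_use]
        if not free_ports:
            raise RuntimeError("no free relay ports on %s" % relay_ip)
        port = secrets.choice(free_ports)
        entry = DestinationEntry(
            sim_number=sim_number,
            target_port=target_port,
            # The TTL is turned into an absolute deadline at issuance time.
            expires_at=None if ttl is None else now + ttl,
            client_range=None if client_cidr is None
            else ipaddress.ip_network(client_cidr, strict=False),
            auth_id=auth_id,
        )
        self.entries[(relay_ip, port)] = entry  # S14: destination entry information
        return relay_ip, port                    # S15: connection information for the client

    def relay_info(self, relay_ip: str, port: int) -> Optional[DestinationEntry]:
        """S22/S23: the relay presents its own IP and port; the manager looks up the entry."""
        return self.entries.get((relay_ip, port))

    def invalidate(self, relay_ip: str, port: int) -> bool:
        """Modification 2: drop the entry so the connection information stops working."""
        return self.entries.pop((relay_ip, port), None) is not None


def check_connection_conditions(entry: DestinationEntry, client_ip: str,
                                now: float) -> Tuple[bool, str]:
    """S26: gate applied when the access arrives and re-applied while relaying.

    Returns (allowed, reason); a False result corresponds to S27 (connection error
    notified to the client and the relay cut off)."""
    if entry.client_range is not None and \
            ipaddress.ip_address(client_ip) not in entry.client_range:
        return False, "client address outside permitted range"
    if entry.expires_at is not None and now >= entry.expires_at:
        return False, "communication validity deadline passed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough with documentation-range addresses.
    manager = ConnectionManager(["198.51.100.10"])
    relay_ip, relay_port = manager.request_connection(
        "sim-constructed-0001", 22, now=1000.0, ttl=600, client_cidr="203.0.113.0/24")
    print("connection information handed to the client:", relay_ip, relay_port)
    entry = manager.relay_info(relay_ip, relay_port)
    print("in range, before deadline:", check_connection_conditions(entry, "203.0.113.7", 1100.0))
    print("out of range:", check_connection_conditions(entry, "192.0.2.5", 1100.0))
    print("after deadline:", check_connection_conditions(entry, "203.0.113.7", 1700.0))
```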

When communicating with the target terminal 5, the client terminal 4 may also send the first relay device 2 data encrypted with SSL (Secure Socket Layer) or TLS (Transport Layer Security). In this case, the first relay unit 231 relays the communication between the client terminal 4 and the target terminal 5 by exchanging encrypted data between itself and the client terminal 4 and unencrypted data between itself and the target terminal 5.

As described above, because the first relay device 2 and the target terminal 5 can communicate based on the private IP address of the target terminal 5, secure communication is possible even without encrypting the data between the first relay device 2 and the target terminal 5. In addition, the target terminal 5 need not perform SSL or TLS encryption, so secure communication is possible even when the target terminal 5 does not support SSL or TLS.

[Modification 1]

In the above description, the first relay unit 231 of the first relay device 2 obtains a connection request containing an authentication information ID from the client terminal 4, but this is not limiting. Inclusion of the authentication information ID in the connection request may be optional, and the connection request may omit the authentication information ID. When the connection request does not contain an authentication information ID, the first relay unit 231 need not perform the relay admissibility determination based on the authentication information ID.

[Modification 2]

The first relay unit 231 of the first relay device 2 may also obtain from the client terminal 4 instruction information indicating that the communication between the client terminal 4 and the target terminal 5 based on the connection information is to be invalidated. In this case, the first relay unit 231 cuts off the relay between the client terminal 4 and the target terminal 5 corresponding to that connection information.

[Modification 3]

The above description uses the example of relaying communication between the first relay device 2 and a single target terminal 5, but this is not limiting: communication between the first relay device 2 and a plurality of target terminals 5 may also be relayed. In this case, the connection management device 1 manages, for one client terminal 4, the connection information, communication validity deadline and so on of each of the plurality of target terminals 5. The processing shown in FIG. 7 is then performed for each of the plurality of target terminals 5, and a connection is established between the client terminal 4 and each of them. In this case, the first relay unit 231 of the first relay device 2 may also obtain a single connection request representing connection requests to each of the plurality of target terminals 5, and establish the connections between the first relay device 2 and each of the plurality of target terminals 5 based on that single request. The client terminal 4 can thereby send commands to, or exchange data with, each of the plurality of target terminals 5 to which a connection has been established.

[Modification 4]

In the above description, the network configuration used when relaying between the client terminal 4 and the target terminal 5 is one in which the path from the first relay device 2 to the target terminal 5 is the carrier's closed network, but this is not limiting. For example, the relay between the client terminal 4 and the target terminal 5 may be performed in various other network configurations: one in which the path from the first relay device 2 to the second relay device 3 is a closed network, one in which only the first relay device 2 and the second relay device 3 are inside the closed network, one in which either the first relay device 2 or the second relay device 3 together with the connection management device 1 are inside the closed network, and so on.

[Effects of this embodiment]

As described above, in the relay system S of this embodiment, once the connection management device 1 obtains from the client terminal 4 the SIM unique number identifying the target terminal 5, it determines, among the plurality of first relay devices 2 provided in the relay system S, the first relay device 2 that relays the communication, stores the connection information used by the client terminal 4 to connect to that first relay device 2 in the storage unit 12 in association with the SIM unique number, and notifies the client terminal 4 of that connection information. Upon receiving from the client terminal 4 an access based on the connection information, the determined first relay device 2 relays the communication between the client terminal 4 and the target terminal 5 based on the SIM unique number associated with that connection information in the storage unit 12.

Because the connection information notified to the client terminal 4 is not always the same, a third party has difficulty guessing the connection information used for communicating with the target terminal 5. The client terminal 4 can therefore access the target terminal 5 securely.

Furthermore, upon receiving from the client terminal 4 an access based on connection information containing the IP address and port number of the first relay device 2, the first relay device 2 of the relay system S establishes the communication connection between the client terminal 4 and the target terminal 5 over a TCP connection, based on the SIM unique number associated with that connection information. The relay system S can thus establish communication per TCP connection rather than tunneling all IP traffic, so its cost can be kept lower than that of existing communication methods such as VPNs. Moreover, compared with VPNs and other tunneling communication solutions, the relay system S requires neither increased communication overhead nor installation of additional functions on the device at the access destination.

The present invention has been described above using embodiments, but its technical scope is not limited to the scope described in those embodiments; various modifications and changes are possible within the scope of its gist. For example, all or part of a device may be functionally or physically distributed or integrated in arbitrary units. New embodiments produced by arbitrary combinations of the plurality of embodiments are also included in the embodiments of the present invention, and the effects of a new embodiment produced by such a combination include the effects of the original embodiments.

Reference signs

1…connection management device; 11…communication unit; 12…storage unit; 13…control unit; 131…authentication information management unit; 132…obtaining unit; 133…determining unit; 134…storage control unit; 135…notification unit; 2…first relay device; 21…communication unit; 22…storage unit; 23…control unit; 231…first relay unit; 3…second relay device; 31…communication unit; 32…storage unit; 33…control unit; 331…second relay unit; 4…client terminal; 5…target terminal; S…relay system.

Priority Applications (1)
CN202311789731.4A (CN117750462A) | priority 2019-07-01 | filed 2020-06-15 | Relay method, relay system, and relay program

Applications Claiming Priority (3)
JP2019122756A (JP7209593B2) | priority 2019-07-01 | filed 2019-07-01 | Relay method, relay system, and relay program
JP2019-122756 | priority 2019-07-01
PCT/JP2020/023417 (WO2021002180A1) | priority 2019-07-01 | filed 2020-06-15 | Relay method, relay system, and relay program

Related Child Applications (1)
CN202311789731.4A (CN117750462A), Division | priority 2019-07-01 | filed 2020-06-15 | Relay method, relay system, and relay program

Publications (2)
CN113348689A | published 2021-09-03
CN113348689B | published 2024-01-16

Family
ID=74100593

Family Applications (2)
CN202080009856.9A (CN113348689B), Active | priority 2019-07-01 | filed 2020-06-15 | Relay method, relay system, and relay program
CN202311789731.4A (CN117750462A), Pending | priority 2019-07-01 | filed 2020-06-15 | Relay method, relay system, and relay program

Country Status (5)
US (3): US11792206B2
EP (1): EP3902213A4
JP (3): JP7209593B2
CN (2): CN113348689B
WO (1): WO2021002180A1

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20230094059A1 (en) * | 2020-01-28 | 2023-03-30 | Nippon Telegraph And Telephone Corporation | Transfer apparatus, data processing method and program
US11844064B2 (en) * | 2021-04-16 | 2023-12-12 | Qualcomm Incorporated | Parameter(s) for relaying operation
CN118764986A (en) * | 2022-03-18 | 2024-10-11 | Oppo广东移动通信有限公司 | Relay communication method, initiating terminal, relay terminal and target terminal
KR20230174919A (en) * | 2022-06-22 | 2023-12-29 | 주식회사 케이티 | Router, method and computer program for supporting remote access to IoT equipment connected to private networks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
JP2012227834A (en) * | 2011-04-21 | 2012-11-15 | Murata Mach Ltd | Relay server and relay communication system
CN103503384A (en) * | 2011-04-21 | 2014-01-08 | 村田机械株式会社 | Relay server and relay communication system
CN105684549A (en) * | 2013-11-05 | 2016-06-15 | 夏普株式会社 | Terminal device, relay terminal device, and communication control method

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7877794B2 (en) * | 2004-11-29 | 2011-01-25 | International Business Machines Corporation | Relay apparatus, relay method and program therefor
CN101128805B (en) * | 2005-02-24 | 2010-05-12 | 富士通株式会社 | Connection support device and gateway device
JP4663383B2 (en) * | 2005-04-13 | 2011-04-06 | 株式会社日立製作所 | Home gateway device, control method for home gateway device, and control method for communication system
JP4513658B2 (en) * | 2005-06-14 | 2010-07-28 | 株式会社日立製作所 | Home gateway apparatus and home network access control system
JP4406850B2 (en) * | 2007-12-25 | 2010-02-03 | 村田機械株式会社 | Relay server and relay communication system
US9148335B2 (en) | 2008-09-30 | 2015-09-29 | Qualcomm Incorporated | Third party validation of internet protocol addresses
JP5731949B2 (en) | 2011-11-01 | 2015-06-10 | 日本電信電話株式会社 | Secure access system and secure access method
JP5764085B2 (en) * | 2012-03-26 | 2015-08-12 | 西日本電信電話株式会社 | Port open/close control system
US9100863B2 (en) * | 2012-12-20 | 2015-08-04 | T-Mobile Usa, Inc. | Cellular backhaul load distribution
EP3240248B1 (en) | 2014-12-24 | 2023-12-06 | NTT Communications Corporation | Load balancer, load balancing method and program
JP2016139386A (en) * | 2015-01-29 | 2016-08-04 | 富士ゼロックス株式会社 | Device management system, relay device and program
JP2016146565A (en) | 2015-02-09 | 2016-08-12 | 株式会社リコー | Management system, communication system, management method, and program
JP2017069932A (en) * | 2015-10-02 | 2017-04-06 | 株式会社リコー | Transmission management system, relay device selection method, and program
JP5973049B1 (en) | 2015-11-12 | 2016-08-23 | ソフトバンク株式会社 | Communication system and program using IoT device
TWI625950B (en) * | 2016-08-04 | 2018-06-01 | 群暉科技股份有限公司 | Method and apparatus for forwarding packets by means of network address translation in a network system
JP2018152691A (en) | 2017-03-13 | 2018-09-27 | 日本電気株式会社 | Control apparatus
IT201800001995U1 (en) | 2018-02-28 | 2019-08-28 | | Multiple polishing head

Also Published As

Publication number | Publication date
EP3902213A1 (en) | 2021-10-27
EP3902213A4 (en) | 2022-03-30
JP7476366B2 (en) | 2024-04-30
US11792206B2 (en) | 2023-10-17
US20230421569A1 (en) | 2023-12-28
JP2021010100A (en) | 2021-01-28
US12166770B2 (en) | 2024-12-10
WO2021002180A1 (en) | 2021-01-07
JP7209593B2 (en) | 2023-01-20
US20210336967A1 (en) | 2021-10-28
CN117750462A (en) | 2024-03-22
CN113348689A (en) | 2021-09-03
JP2023052288A (en) | 2023-04-11
US20250063052A1 (en) | 2025-02-20
JP2024086933A (en) | 2024-06-28

Similar Documents

Publication | Title
CN113348689B (en) | Relay method, relay system, and relay program
CN110800331B (en) | Network verification method, related equipment and system
US9197639B2 (en) | Method for sharing data of device in M2M communication and system therefor
KR101202671B1 (en) | Remote access system and method for enabling a user to remotely access a terminal equipment from a subscriber terminal
US8438614B2 (en) | Communication system, relay apparatus, terminal apparatus and computer readable medium
US9204345B1 (en) | Socially-aware cloud control of network devices
US11302451B2 (en) | Internet of things connectivity device and method
JP4339234B2 (en) | VPN connection construction system
CN101401385A (en) | Method for personal network management across multiple operators
JP7728625B2 (en) | Apparatus, method and program for remotely managing devices
US20150195282A1 (en) | Technique for configuring secured access to a host network for an invited terminal
JP2023519997A (en) | Method and communication apparatus for securing terminal parameter updates
CN116888922A (en) | Service authorization method, system and communication device
CN109936515B (en) | Access configuration method, information providing method and device
WO2016109609A1 (en) | System and method for providing authenticated communications from a remote device to a local device
JP2003078570A (en) | Service providing method, relay device and service providing device
WO2013189398A2 (en) | Application data push method, device, and system
WO2011017921A1 (en) | System and method for visiting a visited service provider
CN118303013A (en) | Control method and transmission method and entity configured to implement these methods
US20190208489A1 (en) | Registration management method and device
WO2021188081A1 (en) | Method and system of verifying mobile phone information of users who are connected to the internet with a wired/wireless gateway other than the GSM mobile network with a mobile device in the GSM mobile network area
US10841283B2 (en) | Smart sender anonymization in identity enabled networks
ES2340311T3 (en) | A method to ensure communication between an access network and a central network
US20250106009A1 (en) | Group-based network access management
JP6920614B2 (en) | Personal authentication device, personal authentication system, personal authentication program, and personal authentication method

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
